added new option --space

Miroslav Stampar 2010-09-24 21:59:03 +00:00
parent 327bfcbe97
commit 9cd5d3bde7
3 changed files with 22 additions and 12 deletions


@ -28,6 +28,7 @@ from xml.etree import ElementTree as ET
from lib.core.common import randomInt from lib.core.common import randomInt
from lib.core.common import randomStr from lib.core.common import randomStr
from lib.core.common import replaceSpaces
from lib.core.convert import urlencode from lib.core.convert import urlencode
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
@ -119,7 +120,7 @@ class Agent:
retValue = paramString.replace("%s=%s" % (parameter, value), retValue = paramString.replace("%s=%s" % (parameter, value),
"%s=%s" % (parameter, newValue)) "%s=%s" % (parameter, newValue))
return retValue return replaceSpaces(retValue)
def fullPayload(self, query): def fullPayload(self, query):
if conf.direct: if conf.direct:
@ -160,7 +161,7 @@ class Agent:
query += string query += string
return query return replaceSpaces(query)
def postfixQuery(self, string, comment=None): def postfixQuery(self, string, comment=None):
""" """
@ -198,7 +199,7 @@ class Agent:
else: else:
raise sqlmapNoneDataException, "unsupported injection type" raise sqlmapNoneDataException, "unsupported injection type"
return string return replaceSpaces(string)
def nullAndCastField(self, field): def nullAndCastField(self, field):
""" """
@ -233,7 +234,7 @@ class Agent:
# SQLite version 2 does not support neither CAST() nor IFNULL(), # SQLite version 2 does not support neither CAST() nor IFNULL(),
# introduced only in SQLite version 3 # introduced only in SQLite version 3
if kb.dbms == "SQLite": if kb.dbms == "SQLite":
return field return replaceSpaces(field)
if field.startswith("(CASE"): if field.startswith("(CASE"):
nulledCastedField = field nulledCastedField = field
@ -241,7 +242,7 @@ class Agent:
nulledCastedField = queries[kb.dbms].cast % field nulledCastedField = queries[kb.dbms].cast % field
nulledCastedField = queries[kb.dbms].isnull % nulledCastedField nulledCastedField = queries[kb.dbms].isnull % nulledCastedField
return nulledCastedField return replaceSpaces(nulledCastedField)
def nullCastConcatFields(self, fields): def nullCastConcatFields(self, fields):
""" """
@ -274,7 +275,7 @@ class Agent:
""" """
if not kb.dbmsDetected: if not kb.dbmsDetected:
return fields return replaceSpaces(fields)
fields = fields.replace(", ", ",") fields = fields.replace(", ", ",")
fieldsSplitted = fields.split(",") fieldsSplitted = fields.split(",")
@ -287,7 +288,7 @@ class Agent:
delimiterStr = "%s'%s'%s" % (dbmsDelimiter, temp.delimiter, dbmsDelimiter) delimiterStr = "%s'%s'%s" % (dbmsDelimiter, temp.delimiter, dbmsDelimiter)
nulledCastedConcatFields = delimiterStr.join([field for field in nulledCastedFields]) nulledCastedConcatFields = delimiterStr.join([field for field in nulledCastedFields])
return nulledCastedConcatFields return replaceSpaces(nulledCastedConcatFields)
def getFields(self, query): def getFields(self, query):
""" """
@ -346,7 +347,7 @@ class Agent:
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
concatenatedQuery = "%s+%s" % (query1, query2) concatenatedQuery = "%s+%s" % (query1, query2)
return concatenatedQuery return replaceSpaces(concatenatedQuery)
def concatQuery(self, query, unpack=True): def concatQuery(self, query, unpack=True):
""" """
@ -431,7 +432,7 @@ class Agent:
elif fieldsNoSelect: elif fieldsNoSelect:
concatenatedQuery = "'%s'+%s+'%s'" % (temp.start, concatenatedQuery, temp.stop) concatenatedQuery = "'%s'+%s+'%s'" % (temp.start, concatenatedQuery, temp.stop)
return concatenatedQuery return replaceSpaces(concatenatedQuery)
def forgeInbandQuery(self, query, exprPosition=None, nullChar="NULL"): def forgeInbandQuery(self, query, exprPosition=None, nullChar="NULL"):
""" """
@ -509,7 +510,7 @@ class Agent:
inbandQuery = self.postfixQuery(inbandQuery, kb.unionComment) inbandQuery = self.postfixQuery(inbandQuery, kb.unionComment)
return inbandQuery return replaceSpaces(inbandQuery)
def limitQuery(self, num, query, field=None): def limitQuery(self, num, query, field=None):
""" """
@ -601,7 +602,7 @@ class Agent:
if orderBy: if orderBy:
limitedQuery += orderBy limitedQuery += orderBy
return limitedQuery return replaceSpaces(limitedQuery)
def forgeCaseStatement(self, expression): def forgeCaseStatement(self, expression):
""" """
@ -620,7 +621,7 @@ class Agent:
@rtype: C{str} @rtype: C{str}
""" """
return queries[kb.dbms].case % expression return replaceSpaces(queries[kb.dbms].case % expression)
# SQL agent # SQL agent
agent = Agent() agent = Agent()
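Review bot: forgeInbandQuery applies the substitution twice: the line before its return already goes through `self.postfixQuery(...)`, whose own return was changed in the `-198,7` hunk to `return replaceSpaces(string)`, and then `return replaceSpaces(inbandQuery)` runs it again. That is only harmless when `conf.space` contains no space itself; otherwise the spaces inserted by the first pass are rewritten a second time, so this return should stay `return inbandQuery`. The same re-application risk exists wherever one Agent method feeds the output of another back through `replaceSpaces`, e.g. nullCastConcatFields joining already-substituted fields. More generally the substitution is a blanket `str.replace` over the whole string, so it also rewrites spaces inside quoted literals such as the delimiter built as `"%s'%s'%s"`; applying it once at the outermost boundary, rather than on every return, would avoid both problems. Every method touched here starts or ends outside its hunk, so the intermediate uses of these return values are not visible in this diff.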


@ -1404,3 +1404,9 @@ def longestCommonPrefix(*sequences):
def commonFinderOnly(initial, sequence): def commonFinderOnly(initial, sequence):
return longestCommonPrefix(*filter(lambda x: x.startswith(initial), sequence)) return longestCommonPrefix(*filter(lambda x: x.startswith(initial), sequence))
def replaceSpaces(query):
if query:
return query if conf.space is None else query.replace(' ', conf.space)
else:
return query
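Review bot: replaceSpaces has no docstring and both branches of its `else` return `query` unchanged, so the conditional can be flattened to a single guard: `if query and conf.space is not None:` / `    return query.replace(' ', conf.space)` / `return query`. A one-line docstring such as `"""Return query with every ' ' replaced by conf.space; unchanged when conf.space is unset or query is empty."""` would document the contract the callers in agent.py now rely on. The hunk does not show whether `conf` is imported in this module; presumably it is, but confirm the import exists so the new function does not raise NameError at first use.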


@ -194,6 +194,9 @@ def cmdLineParser():
injection.add_option("--threshold", dest="thold", type="float", injection.add_option("--threshold", dest="thold", type="float",
help="Page comparison threshold value (0.0-1.0)") help="Page comparison threshold value (0.0-1.0)")
injection.add_option("--space", dest="space",
help="Use defined string instead of standard ' '")
injection.add_option("--use-between", dest="useBetween", injection.add_option("--use-between", dest="useBetween",
action="store_true", action="store_true",
help="Use operator BETWEEN instead of default '>'") help="Use operator BETWEEN instead of default '>'")
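Review bot: The help string for the new `--space` option, `"Use defined string instead of standard ' '"`, names the replaced character but not where the replacement applies, so a user cannot tell from `--help` what the option affects. Suggest `help="Use defined string instead of the space character in the generated SQL query"`, which matches the neighbouring options' phrasing. The option relies on optparse's default string type, which is fine here; the enclosing cmdLineParser continues outside the hunk.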